US10846402B2ActiveUtilityA1

Security scanning method and apparatus for mini program, and electronic device

45
Assignee: ADVANCED NEW TECHNOLOGIES CO LTDPriority: Oct 9, 2017Filed: Jan 8, 2020Granted: Nov 24, 2020
Est. expiryOct 9, 2037(~11.3 yrs left)· nominal 20-yr term from priority
G06F 21/562G06F 21/577G06F 21/556G06F 21/564G06F 21/566G06F 2221/033G06F 21/54
45
PatentIndex Score
0
Cited by
35
References
20
Claims

Abstract

Methods, systems, and devices, including computer programs encoded on computer storage media, for security scanning a mini program are provided. One of the methods includes: obtaining a target mini program to be released, invoking a security scanning strategy combination to perform multi-dimensional security scanning on the target mini program; and when the target mini program passes the multi-dimensional security scanning, releasing the target mini program to a server. The multi-dimensional security scanning may include malicious code scanning on the target mini program, security loophole scanning on the target mini program, and security loophole scanning on a server interface of the target mini program.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A security scanning method for a mini program, comprising:
 obtaining a target mini program to be released; 
 invoking a security scanning strategy combination to perform multi-dimensional security scanning on the target mini program, wherein the multi-dimensional security scanning comprises malicious code scanning on the target mini program, security loophole scanning on the target mini program, and security loophole scanning on a server interface of the target mini program; 
 wherein the security loophole scanning on the target mini program comprises one or more loophole scanning programs including:
 determining whether the target mini program includes a sensitive information leaking loophole, 
 determining whether the target mini program includes an HTML code loophole, 
 determining whether the target mini program includes a JS code loophole, and 
 determining whether the target mini program includes an unauthorized external resource reference loophole; and 
 
 when the target mini program passes the multi-dimensional security scanning, releasing the target mini program to a server. 
 
     
     
       2. The method according to  claim 1 , wherein the malicious code scanning on the target mini program comprises one or more of:
 determining whether the target mini program includes a payload; 
 determining whether a malicious invoking function is present in functions invoked by the target mini program, wherein the malicious invoking function is an unauthorized invoking function for the target mini program; and 
 determining whether content invoked by the target mini program includes non-compliant content. 
 
     
     
       3. The method according to  claim 2 , wherein the determining whether the target mini program includes a payload comprising:
 parsing codes and data in a load of the target mini program; and 
 comparing the parsed codes and data with samples of known payloads. 
 
     
     
       4. The method according to  claim 2 , wherein the determining whether content invoked by the target mini program includes non-compliant content comprises:
 parsing media and text content invoked by the target mini program; and 
 comparing the parsed media and text content with non-compliant content samples. 
 
     
     
       5. The method according to  claim 1 , wherein the security loophole scanning on the target mini program comprises:
 performing a comparison with a loophole database by one or more loophole scanners corresponding to the one or more loophole scanning programs. 
 
     
     
       6. The method according to  claim 1 , wherein the security loophole scanning on a server interface of the target mini program comprises:
 parsing the server interface of the target mini program; and 
 performing interface loophole scanning on the parsed server interface. 
 
     
     
       7. The security scanning method according to  claim 1 , further comprising:
 blocking a release flow of the target mini program responsive to the target mini program not passing the multi-dimensional security scanning. 
 
     
     
       8. A security scanning device for a mini program, comprising one or more processors and a non-transitory computer-readable memory coupled to the one or more processors and configured with instructions executable by the one or more processors to perform operations comprising:
 obtaining a target mini program to be released; 
 invoking a security scanning strategy combination to perform multi-dimensional security scanning on the target mini program, wherein the multi-dimensional security scanning comprises malicious code scanning on the target mini program, security loophole scanning on the target mini program, and security loophole scanning on a server interface of the target mini program; 
 wherein the security loophole scanning on the target mini program comprises one or more loophole scanning programs including:
 determining whether the target mini program includes a sensitive information leaking loophole, 
 determining whether the target mini program includes an HTML code loophole, 
 determining whether the target mini program includes a JS code loophole, and 
 determining whether the target mini program includes an unauthorized external resource reference loophole; and 
 
 when the target mini program passes the multi-dimensional security scanning, releasing the target mini program to a server. 
 
     
     
       9. The device according to  claim 8 , wherein the malicious code scanning on the target mini program comprises one or more of:
 determining whether the target mini program includes a payload; 
 determining whether a malicious invoking function is present in functions invoked by the target mini program, wherein the malicious invoking function is an unauthorized invoking function for the target mini program; and 
 determining whether content invoked by the target mini program includes non-compliant content. 
 
     
     
       10. The device according to  claim 9 , wherein the determining whether the target mini program includes a payload comprises:
 parsing codes and data in a load of the target mini program; and 
 comparing the parsed codes and data with samples of known payloads. 
 
     
     
       11. The device according to  claim 9 , wherein the determining whether content invoked by the target mini program includes non-compliant content comprises:
 parsing media and text content invoked by the target mini program; and 
 comparing the parsed media and text content with non-compliant content samples. 
 
     
     
       12. The device according to  claim 8 , wherein the security loophole scanning on the target mini program comprises:
 performing comparison with a loophole database by one or more loophole scanners corresponding to the one or more loophole scanning programs. 
 
     
     
       13. The device according to  claim 8 , wherein the security loophole scanning on a server interface of the target mini program comprises:
 parsing the server interface of the target mini program; and 
 performing interface loophole scanning on the parsed server interface. 
 
     
     
       14. The device according to  claim 8 , wherein the operations further comprise:
 blocking a release flow of the target mini program responsive to the target mini program not passing the multi-dimensional security scanning. 
 
     
     
       15. A non-transitory computer-readable storage medium for security scanning for a mini program, storing instructions executable by one or more processors to cause the one or more processors to perform operations comprising:
 obtaining a target mini program to be released; 
 invoking a security scanning strategy combination to perform multi-dimensional security scanning on the target mini program, wherein the multi-dimensional security scanning comprises malicious code scanning on the target mini program, security loophole scanning on the target mini program, and security loophole scanning on a server interface of the target mini program; 
 wherein the security loophole scanning on the target mini program comprises one or more of:
 determining whether the target mini program includes a sensitive information leaking loophole; 
 determining whether the target mini program includes an HTML code loophole; 
 determining whether the target mini program includes a JS code loophole; and 
 determining whether the target mini program includes an unauthorized external resource reference loophole; and 
 
 when the target mini program passes the multi-dimensional security scanning, releasing the target mini program to a server. 
 
     
     
       16. The non-transitory computer-readable storage medium according to  claim 15 , wherein the malicious code scanning on the target mini program comprises one or more of:
 determining whether the target mini program includes a payload; 
 determining whether a malicious invoking function is present in functions invoked by the target mini program, wherein the malicious invoking function is an unauthorized invoking function for the target mini program; and 
 determining whether content invoked by the target mini program includes non-compliant content. 
 
     
     
       17. The non-transitory computer-readable storage medium according to  claim 16 , wherein the determining whether the target mini program includes a payload comprises:
 parsing codes and data in a load of the target mini program; and 
 comparing the parsed codes and data with samples of known payloads. 
 
     
     
       18. The non-transitory computer-readable storage medium according to  claim 16 , wherein the determining whether content invoked by the target mini program includes non-compliant content comprises:
 parsing media and text content invoked by the target mini program; and 
 comparing the parsed media and text content with non-compliant content samples. 
 
     
     
       19. The non-transitory computer-readable storage medium according to  claim 15 , wherein the security loophole scanning on a server interface of the target mini program comprises:
 parsing the server interface of the target mini program; and 
 performing interface loophole scanning on the parsed server interface. 
 
     
     
       20. The non-transitory computer-readable storage medium according to  claim 15 , wherein the operations further comprise:
 blocking a release flow of the target mini program responsive to the target mini program not passing the multi-dimensional security scanning.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.